Where to start with Cyber Security?
I’m frequently asked, ‘where should we start with Cyber Security?’.
I generally talk about the following 6 areas and you may be familiar with some of these. However, even if you have already implemented them, a regular IT security review is a very worthwhile exercise.
Many actions sound simple, yet I’m always surprised how often even basic security isn’t used.
These are my top security tips, which should help you to answer the following security questions.
- How has access to information been restricted to only the people who need access?
- Who controls administrator level access to our systems?
- Do we only use named and certified engineers?
- How do we prove all our devices are updated and protected?
- Where are our security procedures documented?
When asking questions about IT security, listen for answers which are supported by documentation, and be extremely wary of detailed technical explanations without supporting evidence.
1. Use a firewall
In its most basic form, a firewall is used to control how a computer connects to a network. There are different types of firewalls. Windows and Mac computers have a software firewall built in. You may use a hardware firewall to connect your network to the Internet. Specialist software can come with an application firewall, also known as a Web Application Firewall (WAF).
To be effective, firewalls require careful configuration, monitoring of alerts, and regular management.
2. Keep devices and apps up to date
One of the simplest steps to improve security is to ensure all equipment (phones, tablets, computers, routers, access points, etc.) is kept up to date.
Only use hardware, operating systems and apps with support (unless a special provision has been made to isolate legacy systems). Manufacturers usually provide updates which address security vulnerabilities; apply these.
Recognise that all equipment has a limited life, and stay mindful of warranty dates. When the manufacturer no longer supports their system, plan for replacement.
For computers, tablets and phones, allowing security updates to be automatically installed is an effective option.
Updates for network and server equipment should also be managed regularly. However, unless you are using managed orchestration, resist allowing automatic updates; complete these with care and a current backup.
3. Protect systems from malware
Malicious software, malware and viruses are designed to infect systems and usually take advantage of out-of-date apps or equipment, or poorly configured systems.
The most common malware attack is via email, and basic email spam rules are no longer sufficient. Advanced email protection is essential, and particularly effective when combined with regular user security awareness.
4. Backup your data
At a minimum, a good start to data backup is the 3-2-1 backup rule, which states:
- 3 copies of the data, across
- 2 different media types, with
- 1 copy offsite.
Ensure your backup protocol is documented and the backups are verified on a regular basis. Resist having the backup checks completed by the same person who set up the backup.
A good backup regime includes encryption and catalogued data, and this is particularly important when using external storage or an outside agency for storage.
Whilst cloud sync tools can be part of a strong backup solution, an automatic file sync is not a backup.
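The backup checks in this section can be run as an audit over a simple inventory of copies. This is an added example, not part of the original article: the field names, the sample inventory and the 30-day verification window are assumptions, and the live (primary) copy is counted as one of the three copies.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_VERIFY_AGE_DAYS = 30  # assumption: the article only says "on a regular basis"

@dataclass
class Copy:
    name: str
    role: str                     # "primary", "backup" or "sync"
    media: str                    # e.g. "disk", "tape", "cloud"
    offsite: bool = False
    encrypted: bool = False
    set_up_by: str = ""
    verified_by: str = ""
    last_verified: Optional[date] = None

def audit(copies, today):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"{c.name}: file sync is not a backup, not counted"
                for c in copies if c.role == "sync"]
    counted = [c for c in copies if c.role != "sync"]
    if len(counted) < 3:
        findings.append(f"only {len(counted)} copies, need 3")
    if len({c.media for c in counted}) < 2:
        findings.append("fewer than 2 media types")
    if not any(c.offsite for c in counted):
        findings.append("no offsite copy")
    for c in (c for c in counted if c.role == "backup"):
        if c.offsite and not c.encrypted:
            findings.append(f"{c.name}: offsite copy is not encrypted")
        age = (today - c.last_verified).days if c.last_verified else None
        if age is None or age > MAX_VERIFY_AGE_DAYS:
            findings.append(f"{c.name}: verification missing or stale")
        elif c.verified_by == c.set_up_by:
            findings.append(f"{c.name}: verified by the person who set it up")
    return findings

# Constructed sample inventory (not real systems or people).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Copy("file-server", "primary", "disk"),
    Copy("nas-nightly", "backup", "disk", encrypted=True, set_up_by="alice",
         verified_by="alice", last_verified=date(2024, 5, 20)),
    Copy("cloud-drive", "sync", "cloud", offsite=True),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, TODAY):
        print(finding)
```

The sample inventory fails on every point: the cloud sync is not counted, so only two copies on one media type remain, none is offsite, and the one backup was verified by the person who set it up.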
5. Use trained engineers to configure security
Default configurations for software and devices are designed to be open and as functional as possible to maximise usability. Beware: using these default settings without configuration provides attackers with broad opportunities to easily gain unauthorised access to data.
Engineers with certificated skills, knowledge and experience will ensure the most appropriate level of security is achieved, maintained and documented.
Regularly check the configuration of systems and implement changes to raise security. Removing or restricting functions which are not required is a good place to start.
Use controlled credentials
New equipment always comes with default credentials. These default details are the easiest to defeat and must be changed. When implemented correctly, unique usernames and passwords are a simple and effective way to ensure systems and data can only be accessed by authorised users.
For additional security, use Multi Factor Authentication, sometimes known as MFA.
6. Control who has access to your data
Routinely check what privileges your accounts have. If you have access to administrator level accounts, only use these for the management of other user level accounts. Resist accessing the Internet or using apps when logged in with administrator privileges.
User accounts are routine, individually named accounts with just enough access to the data, software and services for each user to perform their role. Additional permissions should only be given to users who need them.
Administrator accounts have elevated privileges, and unauthorised use of an administrative account provides significantly greater network access and a larger opportunity to steal information and cause damage.
It’s widely assumed that administrators must have access to users’ data. A secure implementation can protect and encrypt data so ‘admins’ do not have access to users’ data.
If you’d like a confidential security discussion, please feel welcome to contact Sytec.
Why choose to work with Sytec?
- We focus on reducing risk
- Our work and checks are separate, independent processes
- We consider compliance and security checks as the default
- You will know which engineer has access and when they took action
- You will have phone, email and face to face access to security certified engineers
Sytec provides IT security, audit, consulting, and support services to a broad range of businesses. Based in Salisbury, engineers are available to respond on a same day basis to ad-hoc or emergency requests, and within minutes for customers with a prepaid pool of consultative support.
We enjoy representing many other companies who require sub-contract IT field engineers. Please see sytec.co.uk/subcontract to learn more about our coverage and response.